Privacy Policy

Privacy Policy — Tap Scanner

Privacy Policy — Tap Scanner (Web + Mobile)

Last updated: September 14, 2025

Applies to: tap‑scanner.com and subdomains, the TapScanner mobile apps (iOS/Android), and customer support channels (collectively, the “Services”).

Who we are

Controller: Smart media internet marketing ltd., Torat hayahasut 11, Israel (“Tap”, “we”, “us”).

Email (privacy): [email protected]

If you buy a web subscription, your purchase is processed by Paddle as Merchant of Record; your contract for checkout/billing is with Paddle.com (Paddle.com Market Ltd. or Paddle.com Inc.) per Paddle’s Buyer Terms. Paddle acts as an independent controller for buyer/payment data.

At a glance

We process the files you upload only to provide the requested tools (e.g., compress, merge, OCR) and auto‑delete them from processing servers within 24 hours unless you save/share them or keep them in account storage you control.

Mobile: scanning, on‑device edits, and many effects run locally; cloud OCR/AI features use short‑lived, encrypted processing with 24‑hour cache for continuity. (Your current page already discloses AWS/Cloudflare & 24‑hour cache; this policy formalizes it).

Payments on the web are handled by Paddle; we do not receive or store full card numbers. See Paddle’s Privacy Policy and Buyer Terms for checkout data.

We honor Global Privacy Control and other Universal Opt‑Out signals where required (e.g., Colorado). We also provide a “Your Privacy Choices” link for Californians (CPRA).

1. What we collect

  • Account & Contact. Name, email, password hash, team/org info (if applicable), settings, support messages.
  • Payment & Subscription (Web). Order ID, subscription status, plan, country/tax info, and the last 4 digits/expiry via Paddle. Paddle collects payment instrument data directly and provides us with non‑sensitive billing metadata.
  • Files & Content. PDFs, images, and related metadata (e.g., file type/size, page count) that you upload or scan to use the tools.
  • Device/Usage. Device model/OS, app version, coarse IP‑based region, timestamps, crash/diagnostic events, feature engagement, and web telemetry (cookies/SDKs) for security and product improvement.
  • Social/SSO (optional). If you sign in with Apple/Google/Facebook, we receive your basic profile and email from those platforms.
  • Advertising (mobile free tier, if enabled). Mobile ad identifiers and limited device/usage signals to show and measure ads in free versions.
  • Sensitive files. Please do not upload regulated or highly sensitive personal data (e.g., payment cards, health/biometric data, government IDs) unless a tool explicitly supports it and you are legally allowed to process it.

2. Why we process your data (and legal bases)

  • Provide the Services & features (including file processing, OCR, compression, conversion, sync): contract (GDPR Art. 6(1)(b)).
  • Payments, tax, invoices (via Paddle) and compliance: legal obligation (Art. 6(1)(c)) and contract.
  • Security, abuse prevention, service reliability (e.g., fraud, anti‑abuse, rate limiting): legitimate interests (Art. 6(1)(f)).
  • Improve the product & support (diagnostics, analytics, A/B tests): legitimate interests (Art. 6(1)(f)).
  • Marketing emails, optional cookies, AI quality‑improvement opt‑ins: consent (Art. 6(1)(a)).

Where required, we seek consent or offer opt‑out for targeted advertising.

3. File processing & retention

Transient processing. Files you upload to use a tool are processed on our infrastructure (and trusted sub‑processors) and deleted from processing servers within 24 hours unless you choose to save them in your account, share via link, or reopen soon after.

Account storage. If you save a file in your account, we retain it until you delete it or your account is deleted.

Mobile specifics. As disclosed in your current page, images sent for cloud effects/OCR are encrypted and cached for continuity up to 24 hours; many edits stay on‑device.

Backups & logs. Minimal logs/backup copies may persist for up to 30 days (or longer where legally required) and are automatically purged on a rolling basis.

Competitors publicly advertise short deletion windows for uploaded PDFs (e.g., “deleted within hours”). Our windows are aligned with that norm but tuned to your technical reality.

4. Sharing your data

We do not sell your personal information for money. In limited contexts (ads/analytics), we may “share” identifiers for cross‑context behavioral advertising and will offer opt‑out tools (see §10). We share data only with:

  • Payment processor & Merchant of Record – Paddle (checkout, VAT/GST, refunds, fraud screening). See Paddle’s Privacy Policy / Buyer Terms.
  • Cloud hosting/CDN & compute (e.g., AWS, Cloudflare) for secure, performant processing and delivery. Your current policy already mentions these; we continue that practice.
  • Analytics/crash/telemetry to operate and improve the Service.
  • AI infrastructure providers (only when you use an AI tool) under strict contractual controls; we do not allow training on your content unless you opt‑in (see AI Supplement). (Smallpdf publishes a similar commitment for AI features—no model training on customer data by default.)
  • Support tools & email providers to handle tickets/notifications.
  • Legal/Compliance (e.g., to comply with law, enforce terms, defend rights).

We require processors to follow our instructions, apply appropriate security, and not use data for their own purposes.

5. Cookies & tracking (web)

We use essential cookies (security, session) and optional analytics/advertising cookies. Where required, we obtain consent and provide granular controls in Cookie Settings. We honor Global Privacy Control and Universal Opt‑Out signals where applicable (e.g., Colorado CPA).

6. International transfers

We operate globally using reputable providers. When transferring personal data internationally, we use legal safeguards such as the EU Standard Contractual Clauses (SCCs) and, for UK data, the UK IDTA / UK Addendum.

7. Security

We employ industry‑standard protective measures, including TLS in transit, encryption at rest for stored content, access controls, segmented environments, and least‑privilege access. (Comparable PDF tool vendors emphasize TLS, deletion windows, and ISO/IEC 27001 programs publicly.)

8. Your rights

Depending on your location, you may have rights to access, correct, delete, export, or object/limit processing. To exercise rights, contact [email protected] or use Your Privacy Choices on the website.

EEA/UK users. You can withdraw consent anytime; you may complain to your local supervisory authority.

US residents. See US State Privacy Notice (below). We honor GPC/Universal Opt‑Out and provide opt‑out of “sale/share” where required.

9. Minors

The Services are not directed to children under 13. In the EEA/UK, you must meet the applicable digital‑consent age in your country or have verifiable parental consent.

10. US State Privacy Notice (CPRA, CPA, TDPSA, etc.)

We disclose the categories of data described in §1.

  • For Californians, we provide a “Do Not Sell or Share My Personal Information / Your Privacy Choices” link and honor GPC.
  • For Colorado residents, we recognize Universal Opt‑Out for targeted advertising and “sales.”
  • For Texas residents (TDPSA), you have rights to access, delete, correct, portability, and to opt‑out of targeted advertising/sale/profiling.

Implementation of these rights is available via Your Privacy Choices and [email protected].

11. Data retention

We keep personal data only as long as necessary for the purposes above:

  • Files in processing: 24 hours (unless you save/share).
  • Account storage: until you delete or close the account.
  • Billing/tax records: 10 years or as required by law.
  • Backups/logs: 30 days unless needed longer for security/compliance.

12. Changes

We’ll post changes here and, if material, notify you in‑app/email.

13. Contact

Smart media internet marketing ltd.
Address: Torat hayahasut 11, Beer Sheva, Israel
Email: [email protected]
Data Protection Officer + EU/UK Representative : [email protected]